The OS database from the p0f project is used by psad to passively fingerprint remote operating systems. This database is installed by psad as the file /etc/ psad/pf.os and is imported at psad startup (or when psad receives a hangup or HUP signal via the kill command or from psad -H).
7 This requires fwsnort to perform a string match against SSH application layer data; there is more on this topic in Chapter 9.
Here is an example of a p0f fingerprint for Linux:
S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4/2.6 <= 2.6.7
You can find more material on the topic of passive OS fingerprinting (including a breakdown of the p0f signature format above) in Chapter 7.
Was this article helpful?